June 2008 Archives

A Dystopian future according to TED


Have I mentioned how much I love TED? I can't think of a better way to spend a spare five to twenty minutes than listening to important thinkers talk about interesting ideas.

This evening I listened to a couple of recent posts that together paint a dystopian picture of the future. If you extrapolate from one talk to the other, we may quickly have Cylons/Terminator/insert favorite scifi disaster here.

First, a 2003 talk by George Dyson on the birth of the computer. While the entire talk is fascinating and entertaining, you'll need to pay close attention to the section on Nils Aall Barricelli and his universe at the end.





Second, Susan Blackmore is a memeticist, and the first portion of her talk is an introduction to memetics. After this she proposes a new type of meme, a techno-meme (or teme, as she calls it), that is self-replicating independently of human activity.


Apple, IT, and cloud computing

Apple's front page today links to a ComputerWorld article about the rise of OS X in business computing environments:

June 26, 2008 (Computerworld) - Nearly 80% of businesses have Macs in-house, nearly double the percentage that said they had users running Mac OS X two years ago, a research firm said today.

"Then, we were talking about onesies and twosies," said Laura DiDio, a research fellow at Yankee Group Research Inc. who conducted a survey of more than 700 senior IT administrators and C-level executives. "Now the number of actual users is very significant. A number of the businesses said that they had 50 or 100 or even several thousand Macs deployed."

The article notes that Apple makes the advances despite little effort to break into the business marketplace. It goes on with a bunch of usage statistics that completely miss the point; Apple isn't succeeding in the business marketplace because of changes to the Mac. It's succeeding because of changes to the nature of business computing.

If you buy the arguments in Nicholas Carr's new book, The Big Switch: Rewiring the World, from Edison to Google, then we are moving to Information Technology as a service rather than a core business function, and we're migrating it to the web.

I'm going to save my views on the irrelevance of Windows domains for another post, but if you just look at Google Apps' offerings, you can see how inexpensive and easy it is to move e-mail, shared calendaring and resource scheduling, user provisioning, and file storage/editing to the web. If we're doing that -- and I think that we both are and should -- then all an end user needs is a browser and a very basic application set.

This is why Apple's business market is growing. It doesn't take an IT department to keep an employee productive on a Mac if their primary application is just a browser. Just hand them a laptop and they're pretty self-sufficient.

I know that most organizations aren't there yet, but I'm convinced that it's the future.

HSBC XSS Vulnerabilities


According to XSSed, HSBC is open to XSS attacks:

Evidently, major unwanted consequences could be a result of multiple cross-site scripting vulnerabilities affecting bank web sites. XSS must be considered as the phishers' future weapon by all people working in the security industry.
Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.
If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like hscsbc.com which is currently available and then serve a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate! [From HSBC web sites are open to critical XSS attacks. Warning to customers! | News | XSSed.com]

According to WhiteHat Security, patching an XSS vulnerability takes, on average, almost three months. That's a long window of vulnerability.

I finally got around to wiping Vista from my Dell Inspiron 1521 and installing Ubuntu 8.04 LTS on it. I did a default install and found that almost everything worked fine:

  • Sound works, though perhaps not with the same fidelity as under Vista.
  • Laptop sleeps and wakes cleanly.
  • Display works, even detected my 1680x1050 panel (an upgrade on the model).
  • Keyboard volume/mute and screen brightness work.
  • Wired NIC is fine.
The only thing that didn't work by default was the wireless card. Unfortunately, I don't think there is an open driver for the device, so I had to use NDIS to get it running. Here's what I did (point and click, no command line required):

First, we need to add third-party software sources to the package repositories. Open System > Administration > Synaptic and go to Settings > Repositories. Select the Third-Party Software tab and select both of the check boxes. Click Close, which returns you to the main Synaptic window. Now click Reload.

Now that the third-party repositories are selected, click on Search and look for "ndisgtk." Click its checkbox and select Mark for Installation. Now click Apply in the main Synaptic window.

Multiple instances of MySQL in OpenBSD


Why would you need to run a second instance? Well, perhaps this is a redundant machine that replicates production systems and needs to run a writable database as well. Or maybe you need to replicate two masters to a single box.

There are many reasons to run multiple MySQL instances, and you probably have already identified that need. Otherwise, you wouldn't be reading this howto.

First, as a clarification: this post assumes that you already have one instance of MySQL running in a more-or-less default configuration under OpenBSD.

The first thing you'll need to do is create a data directory with proper permissions for the second instance:

# mkdir /var/mysql_two
# chown _mysql:_mysql /var/mysql_two

Now populate the directory with a default database:

# mysql_install_db --datadir=/var/mysql_two --user=_mysql

If you're using my.cnf to set anything that shouldn't apply to both instances (such as replication or default engines), you'll need to create a second my.cnf file. We'll assume that this has been done as /etc/my2.cnf.

Next, you need to edit /etc/rc.local in order to start both MySQL processes at boot. You probably already have something like this:

if [ -x /usr/local/bin/mysqld_safe ]; then
   /usr/local/bin/mysqld_safe --ssl-ca=/etc/ssl/ca-bundle.crt \
   --user=_mysql \
   --log-error=/var/log/mysql/mysqld-err.log &
   echo -n ' MySQL 5  Starting \n'
fi

You'll need to add an additional startup command to that block. Note that if you are specifying a second my.cnf file, it needs to be the first flag provided to mysqld_safe:
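As an added example that is not part of the original post, here is a complete sketch of what the second instance needs: a my2.cnf that gives it its own port, socket, pid file and data directory, a check that those values really differ from the first instance's, and the two mysqld_safe invocations for /etc/rc.local with --defaults-file in first position. The port number, socket and pid-file paths, and the fallback defaults for the stock instance are assumptions; adjust them to your package layout.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for running a second
# mysqld instance on OpenBSD alongside the default one. The port, socket,
# pid-file paths and the assumed package defaults below are assumptions.

MYSQLD_SAFE=/usr/local/bin/mysqld_safe
CA_BUNDLE=/etc/ssl/ca-bundle.crt
MY2_CNF=/etc/my2.cnf

# Write a [mysqld] section for the second instance to the file named in $1.
# Every path and the port differ from the defaults so the two daemons never
# contend for the same socket, pid file or data directory.
write_my2_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/mysql_two
socket=/var/run/mysql/mysql_two.sock
port=3307
pid-file=/var/run/mysql/mysql_two.pid
log-error=/var/log/mysql/mysqld_two-err.log
EOF
}

# Print the value of key $2 from the [mysqld] section of config file $1.
cnf_get() {
    sed -n '/^\[mysqld\]/,/^\[/p' "$1" |
        sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Same, falling back to the defaults the stock instance uses (assumed values).
cnf_get_or_default() {
    v=$(cnf_get "$1" "$2")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
        return 0
    fi
    case "$2" in
        port)     echo 3306 ;;
        socket)   echo /var/run/mysql/mysql.sock ;;
        datadir)  echo /var/mysql ;;
        pid-file) echo /var/run/mysql/mysql.pid ;;
    esac
}

# Return 0 if the two config files give the instances distinct port, socket,
# datadir and pid-file; return 1 (with a message on stderr) on the first clash.
check_isolation() {
    for key in port socket datadir pid-file; do
        a=$(cnf_get_or_default "$1" "$key")
        b=$(cnf_get_or_default "$2" "$key")
        if [ "$a" = "$b" ]; then
            echo "both instances would use $key=$a" >&2
            return 1
        fi
    done
    return 0
}

# Options for the default instance (it reads /etc/my.cnf implicitly).
first_instance_args() {
    printf '%s\n' "--ssl-ca=$CA_BUNDLE" --user=_mysql \
        --log-error=/var/log/mysql/mysqld-err.log
}

# Options for the second instance. --defaults-file must come first:
# mysqld_safe only honours it as the first option, and once it is given
# /etc/my.cnf is not read at all, so my2.cnf has to be self-contained.
second_instance_args() {
    printf '%s\n' "--defaults-file=$MY2_CNF" "--ssl-ca=$CA_BUNDLE" --user=_mysql
}

# What the /etc/rc.local block becomes: refuse to start if the configs clash.
start_mysql_instances() {
    [ -x "$MYSQLD_SAFE" ] || return 0
    check_isolation /etc/my.cnf "$MY2_CNF" || return 1
    "$MYSQLD_SAFE" $(first_instance_args) &
    printf ' MySQL 5 instance one starting\n'
    "$MYSQLD_SAFE" $(second_instance_args) &
    printf ' MySQL 5 instance two starting\n'
    return 0
}

if [ "${1:-}" = "start" ]; then
    start_mysql_instances
fi
```

Running the isolation check before launching the second daemon is worth the few lines: two mysqld processes that share a data directory or pid file fail in confusing ways, and a socket collision can silently route the second instance's clients to the first one.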

Second Life on a 3G phone?

From AlleyInsider:

A mobile company is porting Second Life to your phone. More precisely, some phones: Vollee, which helps game companies with the move to mobile, says it has figured out how to take Linden Lab's graphics-heavy game and put it on 40 3G and WiFi enabled handsets (no iPhone or BlackBerries, yet). It's free to anyone with an account in the virtual world.

The list of currently supported devices is disappointing, and even though I'm a little bit skeptical, the video looks promising:





McAfee, Symantec suffer XSS vulns

Three of the large players are guilty of cross-site scripting vulnerabilities. This simply illustrates that the age of server-side vulnerabilities is coming to an end. I'm not saying that servers no longer have flaws, but that browser security is so lax that there's no reason to attack the much better understood and secured servers.

It's obviously out of control when vendors of this magnitude have problems with it. It's time to radically rethink browser design and security.

Verisign, McAfee and Symantec sites can be used for phishing due to XSS | News | XSSed.com
wonder how easy it would be for the bad guys to phish your clients, or their customer base - I don't think that they are all aware of the risks imposed by XSS vulnerabilities.

Realize now the risk impact and not until you are forced to do so...

McAfee.com XSS vulnerabilities:
mastdb3.mcafee.com XSS submitted by Zeitjak
knowledge.mcafee.com XSS submitted by C1c4Tr1Z
knowledge.mcafee.com XSS submitted by holisticinfosec
us.mcafee.com XSS submitted by TreX
mcafee.com XSS submitted by kusomiso.com
mcafee.com XSS submitted by www.r3t.n3t.nl
www.mcafee.com XSS submitted by kusomiso.com
knowledge.mcafee.com XSS submitted by i-landet

7 out of 8 XSS vulns are fixed.

Data breaches found to worry managers

Here's some good and bad news. First, it looks like managers in the Federal government are actually concerned about data breaches. The bad news is that most of them think they are secure (or have a high level of security). The intruders are inside -- it's pretty much guaranteed at this point. 

Data breaches are the primary concern of information technology managers at the federal, state and local government levels and in the private sector, according to a recent survey of 600 IT executives.
Of the 200 federal IT executives responding, more than three-quarters said their agency has an overall high level of IT security, but just over half of their counterparts in the private sector and state and local government are that confident. The survey also reported that fewer than half of the IT executives interviewed said they were sharing threat incident information among themselves. [From Data breaches found to worry managers]

An old-fashioned data breach


Verizon just had a data breach, and they can't blame the technology or attackers.

HAGERSTOWN — A mistake by Verizon that led to the printing of about 12,500 unlisted or nonpublished telephone numbers and corresponding addresses in a telephone book has prompted fear and anger in some of those affected.

One woman, who asked that her name not be used because she feared for her safety, said she began to cry when she learned that her unlisted number and address were printed in the recently released 2008-09 Washington County Phone Book.

* * *

In March, Verizon inadvertently sold the numbers to Ogden Directory Inc. for publication in the phone book, said Harry Mitchell, Verizon's director of media relations.

The phone books were in the process of being distributed by the post office, but Ogden officials last week asked that distribution be halted after the problem was discovered.

Mitchell said Verizon regrets the mistake.

[From The Herald-Mail]

While listening to a talk about the inevitability of 0-day attacks today, I was reminded of a talk I heard at the University of Washington Computer Science Colloquium back in April by Michael Ernst from MIT.

It's easy to get focused on the security problems that confront us today and the limitations of our current tools. In the meantime, there is fabulous blue sky research going on everywhere (and even some great applied research like this project) that will become a whole new generation of tools.

The colloquium is recorded and available online. Here's an excerpt from the abstract:

A software monoculture -- many computers running the same application -- offers benefits for system administrators and users, but every copy of the application is vulnerable to the same security exploits. Our work enables a monoculture, or "application community", to automatically defend itself against previously unknown zero-day exploits, by creating patches that defeat those exploits without affecting application functionality.

Existing attack detectors (e.g., for buffer overflows and code injection) are able to prevent an attack by converting it to a crash. By contrast, in our approach the community members collaborate to learn from each attempted attack. The community learns how the application behaves when not under attack, what code is targeted by the attack, and how the attack affects application behavior. Based on this information, the community automatically generates and evaluates patches to find one that averts the attack.

Here's an MP4 download.

Acer Aspire One preview


The German site EeePC News has photos, release specs, and price information for the new Acer Aspire One. Much as I love my EeePC, I might have purchased one too quickly -- the Acer looks fabulous.

From EeePC News (translated via google):

After the ASUS press conference I went straight over to Acer to take photos of the launch of the Acer Aspire One. First impression: very well made, and it comes with a special, fast Linpus Linux or Windows XP. Price-wise it starts at $379, and the built-in Intel Atom is supposed to give 3h (3-cell version) or 6h (6-cell version) of battery life.

Log management, federation, and policy


Dr. Anton Chuvakin, co-author of Security Warrior (highly recommended; I have purchased several copies for friends, and it's up there with Beyond Fear in my security reading list), is an expert on log management and analysis, and I'm looking forward to hearing him speak on the subject tomorrow. For those not in Orlando (or stuck in TechEd down the road), here's a post on the subject from last week, and another from today:

Now, I have to first admit that, in general, dealing with logs on a device-specific basis is a cruel joke. What I mean here is when you gather Windows logs in one place, Linux logs in another place, database logs in yet another place; all in different formats, all in different systems not connected to each other, all managed by different people who don't talk to each other (and sometimes hate each other). Yuck! Basically, this situation is "logs at their worst": all different, all disjointed and, as a result, all next to useless.
However, there are rare situations where you can choose a device-specific log management approach (and still not look like a money- and time-wasting idiot :-)). For example, you might be motivated by the fact that tools that can handle one specific type of log data (e.g. Windows-only, web server-only or Cisco PIX-only) are usually many times less expensive than cross-device log management tools. The table below clarifies it: [From Cross-Device-Type Log Management vs Device-Specific Log Management]

I consider logs a vastly under-utilized resource for intelligence gathering and threat assessment and have been thinking a lot about log federation and visualization, so tomorrow's session should be exceptionally interesting.
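The cross-device problem Chuvakin describes is concrete enough to show in a few lines. The following is an added example, not code from the original post or from Chuvakin: it takes two constructed log lines in different device-specific formats (a syslog line from an SSH daemon and an Apache combined-format access-log line) and normalizes both into one record layout, so that events from both devices can be counted per client address together. The record layout, the host name assigned to the Apache log, and the sample lines are all assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from Chuvakin: normalise two
# device-specific log formats into one cross-device record layout.
# Record layout (assumed): source|timestamp|host|client|message

# Constructed sample input: one syslog line and one Apache access-log line.
SAMPLE_LOGS='Jun 26 14:02:11 fw1 sshd[2210]: Failed password for root from 192.0.2.10 port 51422 ssh2
192.0.2.10 - - [26/Jun/2008:14:02:15 -0400] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Read mixed log lines on stdin and emit one normalised record per line.
# $1 names the web server, because an Apache access log does not carry it.
# Timestamps are kept verbatim; a real pipeline would parse both to UTC.
normalize_logs() {
    awk -v web_host="$1" '
    # Apache combined log: client IP first, request in quotes, status is $9
    /^[0-9.]+ - - \[/ {
        match($0, /"[^"]*"/)
        req = substr($0, RSTART + 1, RLENGTH - 2)
        printf "apache|%s|%s|%s|%s status=%s\n", substr($4, 2), web_host, $1, req, $9
        next
    }
    # syslog: "Mon dd hh:mm:ss host program[pid]: message"
    /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ / {
        ts = $1 " " $2 " " $3
        host = $4
        msg = $0
        sub(/^[^:]*:[^:]*:[^:]*: /, "", msg)     # drop the timestamp/host/program prefix
        client = "-"
        if (match(msg, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            client = substr(msg, RSTART, RLENGTH)
        printf "syslog|%s|%s|%s|%s\n", ts, host, client, msg
        next
    }
    # Anything unrecognised is kept, flagged, rather than silently dropped.
    { printf "unknown|-|-|-|%s\n", $0 }
    '
}

# Count normalised records per client address across all sources.
events_by_client() {
    normalize_logs "$1" | awk -F'|' '{ n[$4]++ } END { for (c in n) printf "%s %d\n", c, n[c] }'
}

# Usage: printf '%s\n' "$SAMPLE_LOGS" | normalize_logs web1
```

The point of the normalisation step is the `client` column: once the firewall's syslog and the web server's access log agree on where the source address lives, one query answers "what did 192.0.2.10 touch across both boxes?", which no single-device tool can.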

I'm at the GFIRST conference in sunny Orlando this week. Oddly, I found this article via Bruce Schneier during lunch while attending a full-day cram session on control system security. Although, as Schneier noted, the article has already been debunked, it's still an interesting study both in how the media deals with complex technical issues and in offering some insight into the control system hot potato.

Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.
One prominent expert told National Journal he believes that China's People's Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. "They said that, with confidence, it had been traced back to the PLA." These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected. [From National Journal Magazine - China's Cyber-Militia]

On a side note, I can see the giant golf ball from my room (which is fun, since I'm partial to the Disney parks). I took this yesterday with my Motorola Q (not the best camera, but it is what it is).

[Photo: img020.jpg]


Powered by Movable Type 4.12